
Platform Terms of Service (SAAS AGREEMENT)

FLXY.io | Fluxy.One
Version 3.0 — February 13, 2026

"The use of the websites https://flxy.io and https://fluxy.one are governed by a separate Agreement (Website Terms of Use), which the user accepts upon registration or payment for services."

SIA Fluxy One
Rupniecības iela 16-14B, Riga, LV-1010, Latvia
Email: legal@fluxy.one
DPO: dpo@fluxy.one
Support: support@flxy.io

Note: This document is the official English version. In the event of any discrepancies between this version and translations into other languages, the English version shall prevail.

1. GENERAL PROVISIONS

1.1. Parties and Subject Matter

This Agreement ("Agreement") is entered into by and between SIA Fluxy One (Reg. No. LV40203559086, Latvia), hereinafter referred to as the "Operator," "We," or "Fluxy," and the legal entity or individual accepting these terms, hereinafter referred to as the "Client" or "You."

Operator's Role:
The Operator acts in a dual capacity depending on the nature of services provided:

(a) As Technical Infrastructure Provider:

  • For self-service DPP creation and management
  • Client retains full responsibility for data accuracy and regulatory compliance
  • Operator provides hosting, technical infrastructure, and AI-assisted tools
  • Similar role to cloud hosting providers under DSA principles

(b) As Licensed DPP Operator:

  • For managed DPP services (when explicitly agreed in writing)
  • Operator may verify, validate, or certify DPP content
  • Operator assumes enhanced regulatory obligations
  • Specified in individual Service Agreements or Order Forms

Default Role: Unless otherwise specified in a signed Order Form, the Operator acts as Technical Infrastructure Provider only.

GS1 Partnership:
The Operator is an Official Solution Partner of GS1 Belgium & Luxembourg and grants the Client access to the flxy.io platform ("Service") for the creation, management, and storage of Digital Product Passports (DPP).

1.2. Conclusion and Acceptance

(a) Acceptance:
The Agreement is deemed concluded from the moment the Client performs the first of the following actions:

  • Registration of an account on the Website;
  • Payment of an invoice issued by the Operator or an Authorized Regional Representative;
  • Commencement of API usage or data upload.

(b) Form of Agreement:
This Agreement is concluded electronically. Upon written request by the Client sent to legal@fluxy.one, the Operator shall provide a PDF copy certified by a Qualified Electronic Signature (eIDAS) of an authorized representative.

1.3. Authorized Resellers

If the Client purchases services through an Authorized Regional Representative (hereinafter "Reseller"):

  • (a) Financial terms (currency, payment deadlines) are governed by the agreement between the Client and the Reseller;
  • (b) This Agreement remains the sole document regulating the use of the Software, data rights, SLAs, and the Operator's liability;
  • (c) The Reseller has no authority to modify the terms of this Agreement or make warranties on behalf of the Operator.

2. USE OF SERVICES AND STANDARDS

2.1. Deliverables

Under the subscription, the Client obtains the right to create DPPs, each of which includes:

  • (a) GS1 Digital Link: A unique product web address (URI) (e.g., https://dpp.flxy.io/01/...) that resolves to the product passport;
  • (b) QR Code: A graphic file (PNG/SVG) for packaging, compliant with ISO/IEC 18004 standards;
  • (c) Data Hosting: Product data storage in a structured format compliant with Regulation (EU) 2024/1781 (ESPR);
  • (d) API Access: Access to data for integration with corporate systems.

2.2. Mandatory Standards (GTIN & GS1)

The Service operates based on international GS1 standards. To use the Service, the Client is required to assign valid GTINs (Global Trade Item Numbers) issued by a licensed GS1 member organization to its products.

Client Warranties:

  • Client owns or has valid license to use all GTINs entered into the Service
  • Client will NOT use GTINs belonging to other companies or products not manufactured/distributed by Client
  • Unauthorized use of GTINs may result in immediate account suspension and legal liability

Local or internal codes not compliant with the GS1 standard are not supported.

2.3. ESPR Compliance and Regulatory Changes

(a) The Operator warrants that the technical architecture of the DPP complies with the requirements of the ESPR Regulation and applicable EU Delegated Acts.
(b) In the event of changes to requirements by the European Commission or Customs Authorities, the Operator undertakes to update the Service. If such changes require data updates by the Client, the Operator shall notify the Client within a reasonable timeframe.

2.4. Usage Restrictions

The Client is prohibited from using the Service to create passports for counterfeit, illegal, or sanctioned products. The Operator reserves the right to remove any DPPs violating these rules.

Prohibited Content:

  • Counterfeit or fraudulent certifications
  • Unauthorized use of GTINs (Section 2.2)
  • Products banned under GPSR or product safety regulations
  • Illegal goods (weapons without licenses, controlled substances)
  • Sanctioned products or transactions (Section 8)

2.4.1. Emergency Response to Complaints (NEW)

If the Operator receives a complaint (from a consumer, competitor, regulator, or IP holder) alleging that a Client's DPP contains:

  • False or misleading information
  • Infringing content (trademark, copyright)
  • Unsafe product warnings
  • Violations of GPSR/ESPR

Response Process:

  • Acknowledgment: Within 4 hours of receiving complaint
  • Investigation: Within 24 hours, the Operator will: Review the complaint and Client's DPP content; Contact Client via email for clarification; Request evidence (certificates, licenses, documentation)
  • Decision: Within 24 hours of investigation completion: If complaint is valid: Immediate takedown (DPP suspended, QR code disabled); If complaint is invalid: No action, complainant notified
  • Notification: Within 2 hours of takedown: Email to Client with reason for suspension; 7-day appeal window; Option to correct and republish (if issue is fixed)

Appeal Process: Submit appeal to legal@fluxy.one within 7 days. Provide evidence (test reports, GS1 license, trademark registration). Operator reviews within 3 business days. If appeal successful, DPP reinstated.

No Liability for Takedowns: Operator is NOT liable for damages resulting from takedowns (lost sales, reputational harm). Takedowns are made in good faith based on available information. Client indemnifies Operator for any claims arising from Client's content (Section 6.3).

3. CLIENT DATA AND AI

3.1. Data Ownership

The Client retains full and exclusive ownership of all data ("Client Data") uploaded to the Service. The Client bears sole responsibility for the accuracy, completeness, and legality of the content.

Client Responsibilities:

  • All product data is accurate and not misleading
  • All mandatory ESPR/GPSR fields are complete
  • Data is updated when product specifications change
  • All content complies with applicable laws and does not infringe third-party rights

3.2. Use of AI (Human-In-The-Loop)

(a) AI Technologies: The Service utilizes Generative AI (GenAI) technologies to assist in data entry, including: Auto-completion of product fields; Extraction of data from uploaded documents (OCR); Translation of content (see Section 3.2.1); Suggestion of compliance-related information.

(b) Verification Obligation: The Client acknowledges that AI is an assistive tool and may produce errors. The Client is obliged to verify all data prior to publication. The Operator shall not be liable for the publication of unverified data.

(c) Model Training: The Operator guarantees that Client Confidential Data is NOT used to train public AI models. Only anonymized meta-data may be used to improve internal algorithms.

3.2.1. AI-Powered Translation (NEW)

For Clients using multilingual DPP features:
The Service uses AI-powered translation to make product data accessible in multiple languages. The process is as follows:

Step 1: Input (Client's Language)

  • Client enters product data in any language (e.g., Latvian, German, Spanish, French)
  • This is the original source data

Step 2: Master Data Translation (English)

  • Client's input is automatically translated into English (Master Data) using: Google Cloud Translation API, Google Vertex AI, Google Gemini models
  • Master Data is structured in JSON format compliant with ESPR and GS1 standards

Step 3: Consumer Display (24+ Languages)

  • English Master Data is automatically translated into 24+ languages:
    • EU Official Languages (24): Bulgarian, Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Irish, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish, Swedish
    • Additional Languages: Norwegian, Icelandic, Turkish, Russian, Ukrainian
  • Consumers see product information in their preferred language when scanning QR codes

Step 4: Version Control and Data Retention

  • Every change triggers a new translation cycle: Original → English Master Data → 24+ languages
  • All versions are logged with: Timestamps (date and time of change), Content hashes (SHA-256) for data integrity
  • THREE JSON files stored (CRITICAL for legal compliance):
    • Original Language JSON — Client's input in the language entered (e.g., Latvian, German, French) — LEGALLY REQUIRED for client liability protection
    • Master Data JSON (English, ESPR-compliant) — Used for regulatory reporting to EU Commission
    • International JSON (24+ languages) — Consumer-facing translations

AI Translation Disclaimer — CRITICAL:

The Client acknowledges and agrees that:

(a) AI is not perfect: AI translation may produce inaccurate, incomplete, or nonsensical translations. Technical terms, brand names, and safety warnings are especially prone to errors. Example errors: "wash in cold water" → "wash in old water" or "choking hazard" → "joke hazard".

(b) Client is responsible for accuracy: Client MUST verify that AI translations convey the correct meaning, especially for: Safety warnings (choking hazards, allergens, flammability); Usage instructions (dosage, assembly, washing); Compliance statements (CE marking, GPSR responsible person). If translations are incorrect, Client MUST correct them manually or unpublish the DPP.

(c) Operator is NOT liable for translation errors: Operator does NOT review, verify, or certify AI translations. Operator is NOT responsible for harm caused by mistranslations (e.g., consumer injury from incorrect safety warning). Client indemnifies Operator against claims arising from translation errors (Section 6.3).

(d) No human review (unless managed service): Standard platform service: 100% automated AI translation (no human review). Managed DPP service: Optional human translation review available (contact support@flxy.io for quote).

Client Obligations: Before publishing a DPP with AI translations, Client MUST: Review AI-generated translations (at minimum, English Master Data); Verify accuracy of safety-critical information; Manually correct any errors in the platform dashboard; Confirm that all 24+ language versions are acceptable (or disable specific languages). If Client discovers translation errors after publishing: Update the source data in the dashboard; AI will automatically re-translate (new version created); Old version remains in archive (10+ years, per ESPR).

3.3. License for Data Transfer

The Client authorizes the Operator to transfer DPP data to: (a) The European Commission's central registry (Product Passport Registry); (b) National customs authorities of EU Member States; (c) Public access (for consumers) via QR code scanning; (d) Third-party independent DPP hosting providers (to ensure long-term accessibility per ESPR Art. 8).

4. FEES AND TAXES

4.1. Payment Methods

Payment is made based on an Invoice via one of the following methods: Direct Bank Transfer (SEPA/SWIFT); Payment Systems (Stripe, PayPal, RevolutPay); Payment via an Authorized Regional Representative.

4.2. VAT Treatment

(a) EU Clients: Service fees include Latvian VAT (21%) unless the Reverse Charge mechanism applies to the Client.
(b) Non-EU Clients: Services are classified as export (B2B) and are not subject to Latvian VAT (0%). The Client is solely responsible for calculating and paying any local taxes (VAT, Withholding Tax/WHT) applicable in their jurisdiction.

4.3. Price Fixing

Prices are fixed for the paid Subscription Period. Upon renewal, the Operator reserves the right to index prices, but by no more than the CPI (Eurozone) + 5% per annum.

5. TERM, TERMINATION, AND ARCHIVING

5.1. Suspension of Access

The Operator has the right to suspend access in the event of: (a) Non-payment of services (exceeding 14 days); (b) Identification of material breaches (counterfeit certificates, IP infringement, unauthorized GTINs) following notification and a cure period (7 days); (c) Valid complaint requiring emergency takedown (Section 2.4.1).

5.2. Long-Term Archiving (ESPR)

Upon termination of the Agreement, the Operator ensures the preservation of published DPPs in a "Passive Archive" mode (read-only access for end-users/regulators, with no editing rights for the Client) for the duration established by the ESPR Regulation (up to 10-15 years).

Why this is required: ESPR mandates long-term data retention for product traceability; Regulators may inspect products years after sale; Customs authorities need historical data for import/export compliance.

5.2.1. Version Control and Audit Trail (NEW)

All DPP changes are logged:

  • Timestamp: Date and time of modification
  • Content hash: SHA-256 hash of all three JSON files:
    • Original Language JSON (Client's input in original language)
    • Master Data JSON (English, ESPR-compliant)
    • International JSON (24+ consumer languages)
  • User ID: Who made the change
  • Change log: What fields were modified

What data is provided to regulators:

  • Original language input (what Client actually entered) — PRIMARY source of truth for Client's legal liability
  • English Master Data (ESPR-compliant JSON) — for EU Commission reporting
  • All versions (via version control system)
  • Audit trail (timestamps, hashes, changes)

Why original language storage is CRITICAL:

  • Regulators want to see what Client entered, not just AI translations
  • Original language proves Client's compliance intent and protects Client's liability
  • If AI mistranslates safety warning, original language shows Client entered it correctly
  • Required for regulatory disputes and legal proceedings

Audit trail available to:

  • Client (via dashboard, for Client's own DPPs)
  • Regulators (upon legal request, with 72-hour notice to Client)
  • Law enforcement (with valid court order)

Retention: Logs stored for 10+ years (same as DPP archive).

6. LIABILITY

6.1. Limitation of Liability

(a) Infrastructure vs. Content: Operator is responsible for: Technical availability (99.5% uptime), Data security, Platform functionality, Emergency response. Operator is NOT responsible for: Accuracy or completeness of Client Data; AI translation errors; Regulatory fines for non-compliant DPPs; Product liability claims arising from defective products; Customs clearance delays caused by data; IP infringement by Client.

(b) Liability Cap: The Operator's maximum aggregate liability for any claims arising out of this Agreement is limited to the amount actually paid by the Client during the 12 months preceding the incident.

6.2. Force Majeure

The Parties are released from liability for non-performance of obligations due to circumstances of force majeure (war, sanctions, global internet outages, DDoS attacks, natural disasters, government actions).

6.3. Indemnification by Client (NEW)

Client agrees to indemnify and hold harmless the Operator from: (a) Client's Content: IP infringement, False information, Violations of GPSR/ESPR; (b) Regulatory Penalties; (c) Product Liability; (d) Unauthorized GTINs.

Scenario 1: AI Mistranslation. Client publishes a DPP with safety warning "Not suitable for children under 3 years". AI mistranslates to "Suitable". Child chokes. Parents sue Operator. Result: Client indemnifies Operator (Client was responsible for verifying translations).
Scenario 2: Fake Certification. Client claims product is "CE marked" but it's not actually certified. Regulator fines Client €10,000. Regulator also issues warning to Operator. Result: Client indemnifies Operator.
Scenario 3: Unauthorized GTIN. Client uses a competitor's GTIN. GS1 or competitor sues. Result: Client indemnifies Operator.

7. CONFIDENTIALITY

7.1. Definition: "Confidential Information" includes any non-public information transferred by one party to the other, including Client Data, technical specifications of the Service, pricing, and contract terms.

7.2. Obligations: The Receiving Party undertakes NOT to disclose Confidential Information to third parties (except to affiliates and consultants under NDA) and to use it solely for the performance of the Agreement. Exceptions: Information already public; Required by law.

8. SANCTIONS AND EXPORT CONTROL

8.1. Sanctions Warranties: The Client represents and warrants that neither the Client, nor its beneficial owners, directors, or affiliates are listed on any sanctions lists ("Sanctioned Persons") administered by: EU, OFAC, UN, UK (HMT) or Latvia.

8.2. Prohibited Use: The Client undertakes NOT to use the Service: For the benefit of Sanctioned Persons; In territories subject to comprehensive embargoes; For the creation of DPPs for Dual-Use Goods without appropriate licenses.

8.3. Right to Immediate Termination: In the event of a breach of this section, Fluxy One has the right to immediately block access and terminate the Agreement unilaterally without refund.

9. GOVERNING LAW AND DISPUTE RESOLUTION

9.1. Governing Law: This Agreement is governed by the substantive law of the Republic of Latvia.

9.2. Arbitration: All disputes arising out of or in connection with this Agreement shall be finally settled by the Luxembourg Arbitration Association in accordance with its rules. The language of the arbitration shall be English.


APPENDIX A: SERVICE LEVEL AGREEMENT (SLA)

1. UPTIME GUARANTEE

1.1. Target: The Operator guarantees Platform availability (including API and QR code resolution) at a level of 99.5% per calendar month.
1.2. Exceptions: Downtime calculation excludes unavailability caused by: Scheduled Maintenance (with 24-hour notice); Force Majeure; Client-side equipment or network issues.

2. SERVICE CREDITS

2.1. Compensation: In case of failure to meet the Availability Guarantee, the Client is entitled to request compensation (Service Credit):

Uptime Achieved | Service Credit
99.0% – 99.49% | 5% of monthly fee
95.0% – 98.99% | 10% of monthly fee
Below 95.0% | 20% of monthly fee

How to claim: Email legal@fluxy.one within 30 days of the incident. Provide details. Credits applied to next month's invoice.

3. TECHNICAL SUPPORT

3.1. Support Channels: Support is provided via email (support@flxy.io) and ticketing system.

3.2. Target Response Times:

  • P1 (Critical): Platform completely unavailable or critical API failure. Response Time: 4 hours (24/7).
  • P2 (High): Core functions working with errors or significant degradation of performance. Response Time: 8 business hours.
  • P3 (Normal): General usage questions, minor UI bugs, or non-critical inquiries. Response Time: 24 hours.

APPENDIX B: DATA PROCESSING ADDENDUM (DPA)

In accordance with Art. 28 GDPR

1. ROLES AND SUBJECT MATTER

1.1. Data Processing Relationship: Under this DPA, the Client acts as the Controller, and Fluxy One acts as the Processor.
1.2. Subject Matter: The subject matter of processing involves personal data contained in: Client's account (employee data); DPP content (supplier contact persons, responsible person information per GPSR). Processing is solely for the purpose of providing the Service.
1.3. Duration: For the duration of the Agreement; Plus retention period (12 months after termination for business records); Plus ESPR archive period (10-15 years for published DPPs).

2. SECURITY MEASURES

The Operator implements the following technical and organizational measures (TOMs):

  • Encryption: In transit: TLS 1.3+ for all HTTPS connections; At rest: AES-256 encryption for stored data.
  • Access Controls: Multi-Factor Authentication (MFA) for personnel access; Role-based access control (RBAC); Access logging and audit trails.
  • Data Integrity: SHA-256 hashes for all DPP versions; Regular backups and recovery testing; Version control system.
  • Monitoring: Real-time intrusion detection; Security event logging; Automated alerts for suspicious activity.

3. SUB-PROCESSORS

3.1. General Authorization: The Client grants general written authorization for the engagement of Sub-processors.

3.2. Current Authorized Sub-Processors:

Sub-Processor | Service | Location | Legal Basis
Google Cloud Platform (Google Ireland Ltd) | Hosting (Belgium), AI | EU (Belgium, Netherlands) | SCCs
Stripe Payments Europe Ltd | Payment Processing | EU (Ireland) | SCCs
PayPal (Europe) S.à r.l. et Cie | Payment Processing | EU (Luxembourg) | SCCs
Revolut Ltd | Payment Processing | EU (Lithuania) | SCCs
Zendesk / Intercom | Support System | USA/EU | SCCs
OpenAI Ireland Ltd | AI models (premium) | EU (Ireland) | SCCs

3.3. New Sub-Processors: The Operator shall notify the Client of new Sub-processors at least 30 days in advance via email. Client may object if the sub-processor does not meet GDPR standards.

4. INTERNATIONAL TRANSFERS

4.1. Primary Data Location: All personal data is stored in the European Economic Area (EEA): Primary data center: Google Cloud Platform, Belgium; Backup data center: EU-West (Belgium, Netherlands).
4.2. Google Cloud Certifications: Google Cloud Platform (hosting provider) maintains the following certifications: ISO 27001 (Information Security Management); ISO 27017 (Cloud Security); ISO 27018 (Cloud Privacy); SOC 2 Type II (Security, Availability, Confidentiality).
4.3. Transfers Outside the EEA: Any transfer outside the EEA (to third countries without an adequacy decision) is conducted based on Standard Contractual Clauses (SCCs) approved by the European Commission, which are incorporated herein by reference.
4.4. Supplementary Measures: In addition to SCCs, Operator implements: Encryption in transit and at rest; Pseudonymization where feasible; Data minimization (transfer only necessary data).

5. AUDIT

Upon written request by the Client (no more than once per year), the Operator shall: Provide security audit reports (e.g., SOC 2 Type II or ISO 27001); Allow review of data processing practices; Permit on-site audits (with 30 days' notice, during business hours, at Client's expense).

6. DATA BREACH NOTIFICATION

In the event of a personal data breach, the Operator will: Within 24 hours: Assess the scope and severity; Within 72 hours: Notify Client via email; Within 7 days: Provide detailed incident report (affected data, root cause, remediation).
Client Obligations: If notified of a breach, Client (as Controller) must: Notify supervisory authority within 72 hours (if required under GDPR Art. 33); Notify affected data subjects if breach poses a high risk (GDPR Art. 34).

7. DATA SUBJECT RIGHTS

If a data subject submits a GDPR rights request (access, deletion, correction), Operator will: Forward the request to Client within 3 business days; Assist Client in fulfilling the request (e.g., provide data exports). Response timeframe: 30 days (GDPR Art. 12).

8. RETURN AND DELETION OF DATA

Upon termination of the Agreement: Within 30 days: Operator provides final data export (JSON/CSV); Within 90 days: All personal data deleted from active systems.
Exception: ESPR Archive Data. Published DPPs remain in read-only archive for 10-15 years (legal requirement). Client will be notified when archive data is finally deleted.
Certification of Deletion: Upon request, Operator will provide written certification confirming deletion of all personal data (except archived data).

END OF PLATFORM TERMS OF SERVICE

©2026 SIA Fluxy One. All rights reserved.
LV40203559086 | PIC: 877411658 | D-U-N-S®: 965808875